IC card equipped with elliptic curve encryption processing facility

ABSTRACT

In an IC card incorporating residual multiplier hardware for implementing a high-speed algorithm for a residual multiplication arithmetic, a method and a device capable of executing a public key encryption processing such as an elliptic curve encryption processing at a high speed. Residual arithmetic succeeding to generation of a random number and residual arithmetic in a signature generating processing can be executed by using a residual multiplier. Further, in order to use effectively the residual multiplier for arithmetic operation on an elliptic curve, the point on the elliptic curve is transformed from a two-dimensional affine coordinate system to a three-dimensional coordinate system. Additionally, multiplicative inverse arithmetic for realizing reverse transformation from the three-dimensional coordinate system to the two-dimensional affine coordinate system as well as for determining a signature s can be executed only with the residual multiplication arithmetic. By making use of the residual multiplier in this manner, the processing speed can be increased. Computation complexity can be reduced by storing previously those parameters which are used frequently and constant multiplies of a base point of the elliptic curve in the form of tables, which also contributes to increasing of processing speed.

BACKGROUND OF THE INVENTION

[0001] The present invention relates generally to an IC card (integratedcircuit card) capable of processing encryption data or information. Moreparticularly, the invention is concerned with a method capable ofexecuting at a high speed elliptic curve encryption processing in anencryption processing in which hardware designed for executing ahigh-speed algorithm for a residual multiplication arithmetic(multiplication on the set of integers) is adopted and a device such asan IC card in which the above-mentioned method is adopted.

[0002] For having better understanding of the present invention,technical background thereof will first be described in some detail. Asan encryption scheme for a public key crypto-system, there is known anRSA encryption scheme which was invented by Rivest, Shamir and Adlemanin 1978. The basic principle underlying the RSA encryption will bereviewed below.

[0003] Basic Principle of RSA Encryption

[0004] Representing a secret key by (d, n), a public key by (e, n), aplaintext by M and a co-processor by c, respectively, then theencryption and the decryption can be represented, respectively, by thecalculation formulae mentioned below.

[0005] Encryption: C≡M^(e) (mod n), and

[0006] decryption: M≡C^(d) (mod n).

[0007] In the above expressions, n is given by p·q where p and grepresent large prime numbers, respectively which satisfy the conditionsthat λ(n)=LCM {(p−1), (q−1)} (where LCM represents a least commonmultiple), GCD {e, λ(n)}=1 (where GCD represents a greatest commondivisor), and that d=e⁻¹ mod λ(n).

[0008] The security of the RSA encryption is ensured by the fact that itis very difficult to factorize n into prime factors. In thisconjunction, it is recommended to employ large integers on the order of1024 bits as the parameters such as e, d, n, M and so forth. In thatcase, modular multiplication on the set of integers (hereinafterreferred to also as the residual multiplication arithmetic) has to beconducted 1534.5 times on an average for a single processing inaccordance with the encryption formula C≡M^(e) (mod n), when such abinary operation method is resorted to, which is described in detail inD. E. Knuth: “SEMINUMERICAL ALGORITHMS ARITHMETIC”, The Art of ComputerProgramming, Vol. 2, Addison-Wesley, 1969.

[0009] Furthermore, as another encryption scheme belonging to the publickey crypto-system, there may be mentioned an elliptic curve encryptionprocessing proposed by Koblitz and Miller independently in 1985. Thebasic principle underlying this elliptic curve encryption will bereviewed below.

[0010] Principle of the Elliptic Curve Encryption

[0011] Representing the order of a finite field by a prime number pwhile representing by a and b the parameters which determine theelliptic curve, a set which includes a set of points capable ofsatisfying the conditions given by the undermentioned expression andwhich is added with a virtual point at infinity is referred to as theelliptic curve Ep. For the convenience of illustration, the ellipticcurve Ep of concern is presumed to be capable of being represented onthe affine coordinate system.

Ep: y ² ≡x ³ +ax+b (mod p)

[0012] Addition between two points P₁ and P₂ on the elliptic curve,i.e., P₃=P₁+P₂ (where P_(l)=(x_(l), y_(i))), can be defined as follows:

[0013] Case where P₁≠P₂

[0014] In this case, the arithmetics as involved will hereinafter bereferred to as the elliptic addition arithmetic.

[0015] The elliptic addition arithmetic includes addition performed zerotimes, subtraction performed six times, multiplication performed twiceand division performed once, as follows:

λ=(y ₂ −y ₁)/(x ₂ −x ₁),

x ₃=λ² −x ₁ −x ₂, and

y ₃=λ(x ₁ −x ₃)−y ₁

[0016] Case where P₁=P₂

[0017] In this case, the arithmetic will hereinafter be referred to asthe elliptic by-two-multiplication arithmetic.

[0018] The elliptic by-two-multiplication arithmetic includes additionperformed once, subtraction performed three times, multiplicationperformed three times and division performed once, as follows:

λ=(3×12+a)/2y ₁ , x ₃=λ² −2×1 and

y ₃=λ(x ₁ −x ₃)−y ₁

[0019] At this juncture, it should be mentioned that all the arithmeticoperations mentioned above are performed on a residue system to modulusP.

[0020] The security of the elliptic curve encryption described above isbased on the fact that when a point derived through multiplication of apoint A on the elliptic curve by x (i.e., the point obtained by adding“A” x times) is represented by B(=x·A), extreme difficulty will beencountered in finding the value of x on the basis of the values of thepoints A and B if known. This feature is known as the elliptic curvediscrete logarithm problem. In order to ensure the security comparableto that realized by the 1024-bit RSA encryption described previously, itis recommended that each of the parameters such as p, a, x_(i), y_(i),etc. be an integer on the order of 160 bits.

[0021] The arithmetic operation for determining the point (k·P)corresponding to multiplication of a point P by k, which constitutes oneof the basic arithmetic operations for the elliptic curve encryption,can be realized by computation in accordance with the addition on theelliptic curve (elliptic curve addition) mentioned above. In thisconjunction, it is noted that the modular division on the set ofintegers (hereinafter also referred to as the residual divisionarithmetic) has to be conducted in order to determine λ. The residualdivision arithmetic (i.e., modular division on the set of integers) cangenerally be coped with by resorting to an algorithm such as an extendedEuclidean algorithm or the like, which requires, however, lots ofprocessing times. Such being the circumstances, there is widely adoptedthe method or scheme for realizing the arithmetics on the elliptic curveby transforming a point on a two-dimensional affine coordinate systeminto a point on a three-dimensional coordinate system without resortingto the residual division arithmetic processing. For more particulars ofthis scheme, reference may be made to D. V. Chudnovsky and G. V.Chudnovsky: “SEQUENCES OF NUMBERS GENERATED BY ADDITION IN FORMAL GROUPSAND NEW PRIMALITY AND FACTORIZATION TESTS”, Advances in AppliedMathematics, Vol. 7, pp. 385-434, 1986. By way of example, when theaddition arithmetics on the elliptic curve Ep in the two-dimensionalaffine coordinate system is transformed into addition arithmetics in thethree-dimensional projective coordinate system so that the conditionsgiven by x≡X/Z² (mod p) and y≡Y/Z³ (mod p) can be satisfied, theaddition arithmetics are defined as follows:

[0022] The elliptic addition arithmetic includes addition performedtwice, subtraction performed five times, multiplication performedsixteen times and division performed zero times, as follows:

X ₃ =R ² −TW ²,

2Y ₃ =VR−MW ³, and

Z ₃ =Z ₁Z₂W

[0023] where

W=X ₁ Z ₂ ² −X ₂ Z ₁ ²,

R=Y ₁ Z ₂ ³ −Y ₂ Z ₁ ³,

T=X ₁ Z ₂ ² +X ₂ Z ₁ ²,

M=Y ₁ Z ₂ ³ −Y ₂ Z ₁ ³, and

V=TW ²−2X ₃.

[0024] The elliptic by-two-multiplication arithmetic includes additionperformed once, subtraction performed three times, multiplicationperformed ten times and division performed zero times, as follows:

X ₃ =M ²−2S,

Y ₃ =M(S−X ₃)−T, and

Z ₃=2Y ₁ Z ₁

[0025] where

M=3X ₁ ² +aZ ₁ ⁴,

S=4X ₁ Y ₁ ², and

T=8Y ₁ ⁴

[0026] At this juncture, it should be mentioned that all the arithmeticoperations mentioned above are performed on a residue system to modulusp.

[0027] As another example of the coordinate transformation methods,there may be mentioned a coordinate transformation to athree-dimensional homogeneous coordinate system such that the conditionsgiven by the following expressions can be satisfied.

x≡X/Z (mod p), and

y≡Y/Z (mod p)

[0028] At this juncture, it should however be noted that the residualdivision arithmetic (i.e., division on the set of integers) has to beexecuted once upon reverse transformation from the three-dimensionalcoordinate system to the two-dimensional coordinate system.

[0029] Assuming, by way of example, that a 160-bit elliptic curveencryption is transformed to that on the three-dimensional projective ormapping coordinate system, and that the k·P arithmetic is realized byusing the binary operation scheme mentioned hereinbefore, the residualmultiplication arithmetic will have to be performed as many times as2862 times on an average.

[0030] As will now be appreciated from the foregoing description, in thepublic key encryption scheme such as the RSA encryption method and theelliptic curve encryption method, lots of residual multiplicationarithmetic processings (i.e., modular multiplications on the set ofintegers) are required as the basic arithmetic operation. Such being thecircumstances, there have been developed and proposed methods or schemesfor speeding up the residual multiplication arithmetic by resorting to ahigh-speed algorithm for the residual multiplication arithmetic, tothereby speed up the encryption processing on the whole.

[0031] In particular, in the RSA encryption scheme, the arithmeticoperations therefor are in large part the residual multiplicationarithmetic. Thus, there has been realized such hardware designed forexecuting the high-speed algorithm for the residual multiplicationarithmetic. Further, the IC card capable of executing the RSA encryptionprocessing at a high speed has been realized by employing such hardwareso as to meet the stipulation of the IC Card Standards ISO7816.

SUMMARY OF THE INVENTION

[0032] By contrast, in the case of the elliptic curve encryption scheme,residual four-rules arithmetics are required as the basic arithmeticoperations. Among the residual four-rules arithmetics, the residualdivision arithmetic requires lots of processing time, which presents aserious problem to the approach for speeding up the elliptic curveencryption processing. Parenthetically, a method or scheme fordecreasing the number of times the residual division arithmetic has tobe executed in the elliptic curve encryption processing and a scheme forspeeding up the residual division arithmetic have already been proposedin J. Niiho: “APPLICATION OF MONTGOMERY ARITHMETICS TO ELLIPTIC CURVEENCRYPTION”, SCIS, 1997 (The 1997 Symposium on Cryptography andInformation Security). However, it is noted that attempt for applyingthe methods disclosed in the above literature to the devices such as theIC card stipulated in the Standards ISO7816 will unavoidably limited inview of the present state of the semiconductor technology. Thus, lot oftime will be taken for the multiplicative inverse arithmetic operationin the residual division arithmetic, making it difficult to enhance theprocessing speed.

[0033] Accordingly, in the light of the state of the art describedabove, it is an object of the present invention to provide a methodcapable of executing at a high speed the elliptic curve encryptionprocessing in an encryption processing in which hardware designed forexecuting a high-speed algorithm for the residual multiplicationarithmetic is adopted.

[0034] Another object of the invention is to provide a device such as anIC card in which the above-mentioned method is adopted.

[0035] Yet another object of the present invention is to provide amethod capable of executing at a high speed the digital signatureprocessing in a device such as, e.g. an IC card, in which hardwaredesigned for executing a high-speed algorithm for the residualmultiplication arithmetic (i.e., modular multiplication on the set ofintegers) is adopted.

[0036] Still another object of the invention is to provide a device suchas an IC card in which the method mentioned just above is adopted.

[0037] It is a further object of the present invention to provide amethod capable of speeding up the multiplicative inverse arithmetic inthe residual division arithmetic (i.e., modular division on the set ofintegers) in the elliptic curve encryption processing.

[0038] It is also an object of the present invention to provide a devicein which the method mentioned just above is adopted.

[0039] In view of the above and other objects which will become apparentas the description proceeds, there are provided according to aspects ofthe present invention undermentioned scheme or arrangements for carryingout the invention.

[0040] At first, according to an aspect of the present invention whichis directed to a device such as, for example, an IC card, which includeshardware for executing a high-speed algorithm for the residualmultiplication arithmetics (hereinafter the hardware will be referred toas the residual multiplier), there is provided an elliptic curveencryption processing method in which arithmetic operations involved inthe elliptic curve encryption processing are realized largely by theresidual multiplication arithmetics (i.e., modular multiplication on theset of integers) so that the residual multiplier can be utilizedeffectively.

[0041] More specifically, the residual arithmetics performed insuccession to generation of random numbers required for the ellipticcurve encryption processing and the residual arithmetics involved in thesignature generation processing are so structurized as to be capable ofbeing executed by using the residual multiplier. Furthermore, in orderto make it possible to utilize effectively the residual multiplier forthe elliptic curve arithmetics, the residual division arithmetic (i.e.,modular division on the set of integers) involved in the elliptic curveaddition arithmetic is transferred into the residual multiplicationarithmetic by transforming points on an elliptic curve in thetwo-dimensional affine coordinate system into those in athree-dimensional coordinate system, wherein the residual multiplicationarithmetic is executed by making use of the residual multiplier.

[0042] According to another aspect of the present invention which isdirected to the scheme for speeding up the multiplicative inversearithmetic, the multiplicative inverse arithmetics required not only inthe coordinate system transformation from the three-dimensionalcoordinate system to the two-dimensional affine coordinate system butalso in generating the signature data are realized by resorting to theresidual multiplication arithmetic (i.e., modular multiplication on theset of integers). The multiplicative inverse arithmetic for the residuesystem is ordinarily realized by making use of algorithm such asextended Euclidean algorithm. However, in the case where modulus to theresidue or remainder is prime number, the multiplicative inversearithmetic can be realized by using only the residual multiplicationarithmetic without need for relying on the algorithm such as theextended Euclidean algorithm. This will be elucidated below.

[0043] According to the Fermat's theorem, the statement given by theundermentioned expression can apply valid to a positive integer α whichis relatively prime to a prime number β:

_(α)β−1≡1 (mod β)

[0044] According to this theorem, the multiplicative inverse arithmetic“α⁻¹ mod β” can be expressed as follows:

α⁻¹≡α^(β−2) (mod β)

[0045] According to an aspect of the present invention, the values ofthe order p of a finite field and the order n of a base point arerepresented by prime numbers of large values, respectively, so that thecondition for fulfilling the Fermat's theorem mentioned above, i.e., thecondition that the prime number β and the positive integer a arerelatively prime, can always be satisfied. Accordingly, the value orquantity α⁻¹ mod β is equal to the quantity α^(β−2) mod β. Thus,assuming, by way of example, that the residual multiplication arithmeticis performed by resorting to the binary operation method, the value ofmultiplicative inverse, i.e., α⁻¹ mod β, can be determined by performingthe residual multiplication arithmetic by a number of times given by((|β−2|−1)×3/2), where |β−2| represents bit number of (β−2). By adoptingthe method mentioned above, it is also possible to reduce the programsize or scale because of no necessity of preparing the algorithm such asEuclidean algorithm or the like as a program(s).

[0046] In an arrangement according to another aspect of the presentinvention, those parameters which are used very frequently in thearithmetic operations and which can be calculated beforehand with apersonal computer or the like are previously determined to be stored asone of system information in a rewritable nonvolatile memoryincorporated in the IC card. Thus, computational complexity of thearithmetic processing can be reduced. In this conjunction, as the datato be stored previously in the rewritable nonvolatile memory as thesystem information, there may be mentioned order p of a finite field,values “aR mod p” resulting from transformation of elliptic curveparameter a, point (X, Y, Z) which can be obtained by transformingtwo-dimensional affine coordinates (x, y) of a point P (base point) onthe elliptic curve into coordinates in a three-dimensional projectivecoordinate system, which coordinates are then transformed to beappropriate for a residual multiplication arithmetic unit, order n ofthe base point, secret key d, values “2R mod p”, “3R mod p”, “4R mod p”,“8R mod p” and “2⁻¹R mod p” resulting from transformation of constants,respectively, which are employed in the elliptic curve arithmetics, andvalues “R mod p”, “R mod n”, “R² mod p” and “R² mod n” employed in theresidual multiplication arithmetic. In the above description, Rrepresents a positive integer which satisfies the condition that R=2|p|,where |p| represents the bit number of the order p of the finite field.

[0047] According to yet another aspect of the present invention, thereis provided an IC card in which points corresponding to integermultiples of the base point are stored in a rewritable nonvolatilememory incorporated in the IC card in the form of tables with a view toreducing the computation overhead by decreasing the number ofprocessings involved in the elliptic curve addition arithmetics. In thisconjunction, it should be mentioned that the computational overhead canbe reduced as the number of the table increases. However, the amount ofdata (i.e., data size) to be stored in the rewritable nonvolatile memorywill then increase correspondingly. Accordingly, it is also taught bythe invention that points obtained by exponentiation of the base pointsby four are stored in the memory in the form of tables. In that case,the number of the points stored as the tables, i.e., the number oftables, is given by |p|/2, where |p| represents the bit number of theorder p of the finite field. The tabled values are transformed intocoordinates on a three-dimensional projective coordinate system and thentransformed to points given by P_(i) (X_(i), Y_(i), Z_(i)) suited forarithmetics executed by the residual multiplier. In the expressionmentioned just above, i represents an integer satisfying the conditionthat 0≦i<|p|/2.

[0048] In the case where the large memory capacity is available, thepoints resulting from exponentiation of the base points by two may bestored as tables. In that case, the arithmetic operations on theelliptic curve may be structurized only with the elliptic additionarithmetics, whereby the number of processings as required can bereduced.

[0049] In general, when the values of points resulting from 2^(n) (wheren represents a natural number) of the base points are stored as tables,the number of the tables is given by |p|/n, where |p| represents the bitnumber of order p of the finite field. In practical applications, thenumber of the tables may be determined by taking into account thecomputation performance of a CPU and the capacity of a memory destinedfor storing the tables.

[0050] Other subjects, features and advantages of the present inventionwill become apparent from the following detailed description of theembodiments taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0051] In the course of the description which follows, reference is madeto the drawings, in which:

[0052]FIG. 1 is a schematic block diagram showing generally anarrangement of a device to which the present invention can findapplication;

[0053]FIG. 2 is a flow chart for illustrating a signature generationprocedure based on the elliptic curve encryption method according to anembodiment of the invention;

[0054]FIG. 3 is a flow chart for illustrating in detail a sequence ofprocessings in a step 203 shown in FIG. 2;

[0055]FIG. 4 is a flow chart for illustrating in detail an ellipticaddition arithmetic in the processing procedure shown in FIG. 3;

[0056]FIG. 5 is a flow chart for illustrating in detail ellipticby-two-multiplication arithmetic in the processing procedure shown inFIG. 3;

[0057]FIG. 6 is a flow chart for illustrating in detail a sequence ofprocessings in a step 204 shown in FIG. 2; and

[0058]FIG. 7 is a flow chart for illustrating in detail a sequence ofprocessings in a step 205 shown in FIG. 2.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0059] Now, the present invention will be described in detail inconjunction with what is presently considered as preferred or typicalembodiment thereof by reference to the drawings. In the followingdescription, like reference characters designate like or correspondingparts throughout the several views.

[0060]FIG. 1 is a schematic block diagram showing generally anarrangement of a digital signature system which is incorporated in an ICcard by making use of a microcomputer such as, for example, amicrocomputer of H8/3111-model commercially available from Hitachi, Ltd.and in which addition arithmetic on the elliptic curve in a finite fieldis employed. Referring to FIG. 1, the IC card denoted generally byreference numeral 101 includes a CPU (Central Processing Unit) 102, aROM (Read-Only Memory) 103 destined for storing operation instructionsinvolved in carrying out the present invention, an EEPROM (ElectricallyErasable and Programmable Read-Only Memory) 104 serving as a rewritablenonvolatile memory for storing system information and data such as thefinite field orders, elliptic curve parameters and the like, an I/O(input/output) port 105 for controlling input/output to/from the IC card101, a RAM (Random Access Memory) 106, a residual multiplier 107 capableof executing or performing the residual multiplication arithmetic(modular multiplication on a set of integers), a power supply terminal(Vcc) 110, a ground terminal (Vss) 111, a clock terminal (CLK) 112, areset terminal (RES) 113 and an I/O (input/output) terminal (I/O) 114.The individual terminals of the IC card 101 are electrically connectedto relevant components incorporated in the IC card 101. Theabove-mentioned residual multiplier 107 which is designed for performingresidual multiplication arithmetic may be constituted by a co-processorof the Hitachi Microcomputer Model H8/3111 mentioned above. Of course,other equivalent co-processor can be employed to this end.

[0061] The residual multiplier 107 mentioned above incorporates aCPU/residual-multiplier-shared RAM 109 which can be used in common byboth the residual multiplier 107 and the CPU 102, wherein the RAM 109includes at least three data registers CDA, CDB and CDN. Arithmeticoperations performed by the residual multiplier 107 are executed withinput data being stored in the data registers CDA, CDB and CDN,respectively. In that case, the result of the arithmetic operationcarried out by the residual multiplier 107 is stored in the dataregister CDA by rewriting the value thereof. In this conjunction, itshould however be noted that the values of the data registers CDB andCDN remain unchanged after the arithmetic operation. Further, it shouldbe mentioned that the residual multiplier 107 is so designed as to becapable of executing or performing any given one of the three types ofarithmetic operations mentioned below in response to a commanddesignating the operation type.

[0062] Namely,

[0063] CDA←(CDA·CDB) R⁻¹ mod (CDN) (hereinafter referred to as theresidual arithmetic 1),

[0064] CDA←(CDA²) R⁻¹ mod (CDN) (hereinafter referred to as the residualarithmetic 2), and

[0065] CDA←(CDA) R⁻¹ mod (CDN) (hereinafter referred to as the residualarithmetic 3).

[0066] The individual elements or components incorporated in the IC card101 such as mentioned previously are interconnected through the mediumof a bus 108.

[0067] Furthermore, representing by a prime number p the order of anfinite field, the elliptic curve Ep employed in carrying out the presentinvention can be represented by a set corresponding to a set of pointswhich can satisfy the undermentioned expression for the parameters (a,b) which determine the elliptic curve and added with a virtual point atinfinity. For the convenience's sake, the elliptic curve Ep of concernis presumed to be represented on the affine coordinate system.

Ep: y ² x ³ +ax+b (mod p)

[0068] Furthermore, the base point is represented by P(x, y), the orderof which is represented by a prime number n.

[0069] (1) Storage of System Information

[0070] Stored in the EEPROM 104 are order p of a finite field, value “aRmod p” resulting from transformation of elliptic curve parameter a,point P_(i)(X_(i), Y_(i), Z_(i)) (where i represents an integersatisfying the condition that 0≦i <|p|/2 with |p| representing bitnumber of a finite field order p) which can be obtained by transformingtwo-dimensional affine coordinates (x, y) of a point P (base point) onthe elliptic curve into coordinates in a three-dimensional projectivecoordinate system, which coordinates are then transformed to be properto the residual multiplication arithmetic unit, order n of the basepoint, secret key d, values “2R mod p”, “3R mod p”, “4R mod p”, “8R modp” and “2⁻¹R mod p” resulting from transformation of constants,respectively, which are employed in the elliptic curve arithmetics, andvalues “R mod p”, “R mod n”, “R² mod p” and “R² mod n” used in theresidual multiplication arithmetic. In the above statement, R representsa positive integer which satisfies the conditions that R>p and that R>n,e.g. a smallest positive integer which has a bit length equal to agreater one of either |p|+1 or |n|+1. Storage of the system informationis performed before the encryption processings described below areexecuted. Parenthetically, in the above statements, R assumes anumerical value given as a constant and represents a parameterdetermined in dependence on the arithmetic performance of, by way ofexample, the co-processor which constitutes or serves as a multiplelength arithmetic unit.

[0071] (2) Generation of Digital Signature

[0072] FIGS. 2 to 7 are flow charts for illustrating a processingprocedure for generation of a digital signature which is performed bythe elliptic curve encryption processing unit according to the instantembodiment of the present invention. At first, the signature generationprocedure will be described generally by reference to FIG. 2.

[0073] In the flow charts referenced in the following description, it ispresumed that the CPU 102 executes the program stored in the ROM 103while allowing the residual multiplier 107 to execute the relevantprocessing by using the data stored in the RAM 106 and the EEPROM 104,as occasion requires.

[0074] Step 201: Processing procedure is started.

[0075] Step 202: A random number k is generated, whereon the randomnumber k as generated is stored in the data register CDA incorporated inthe residual multiplier 107 while the value “R mod n” stored in theEEPROM 104 is set or placed in the data register CDB equallyincorporated in the residual multiplier 107, for thereby allowing theresidual multiplier 107 to execute the residual arithmetic 1 definedpreviously. The result of execution as stored currently in the dataregister CDA is set as the updated or renewed random number k.

[0076] Step 203: The random number k generated in the step 202, thesystem information p, value “aR mod p” and the point coordinates dataP(X, Y, Z) stored in the EEPROM 104 are inputted to execute thecalculation k·P, i.e., multiplication of the base point P on theelliptic curve by the random number k. This calculation can be achievedby performing elliptical addition arithmetic on the finite field in thethree-dimensional projective coordinate system, i.e., scalar multiplearithmetic by means of the CPU 102. In that case, the residualmultiplication arithmetic involved in the elliptical addition arithmeticcan be carried out by using the residual multiplier 107 which isconstituted by the co-processor, as mentioned previously.

[0077] Step 204: The point coordinate data (X, Y, Z), i.e., the resultof execution in the step 203, represents a point in thethree-dimensional projective coordinate system, as mentioned above.Accordingly, the point coordinate data (X, Y, Z) has to be transformedinto a point coordinate (x, y) on the two-dimensional affine coordinatesystem. The arithmetic operation for this coordinate transformation canbe represented by x≡X/Z² (mod p). However, the arithmetic operationgiven by x≡XZ^(p−3) (mod p) can be carried out to this end, because theformula x≡X·Z^(p−3) (mod p) can apply valid in view of the Fermat'stheorem. Thus, in place of the residual division arithmetic, theresidual multiplication arithmetic (i.e., x≡XZ^(p−3) (mod p)) is carriedout with the aid of the residual multiplier 107. In this manner, byusing the formula x≡XZ^(p−3) (mod p) instead of the formula x≡X/Z² (modp), the coordinate transformation can be realized only with the residualmultiplication arithmetic without resorting to the residual divisionarithmetic.

[0078] Step 205: By using the random number k generated in the step 202,the hash value H(M) for the message M inputted by way of the I/O port105 from the I/O terminal (I/O) 114, the secret key d stored in theEEPROM 104, the order n of the base point and the value or quantity “xmod p” calculated in the step 204, the arithmetic operations mentionedbelow are carried out.

[0079] For generation of signature r, r≡x (mod n), and for generation ofsignature s, s≡k⁻¹. (H(M)+d·r) (mod n).

[0080] The arithmetic operation for generating the signature s in theabove-mentioned arithmetic operations requires the multiplicativeinverse arithmetic. This multiplicative inverse arithmetic can berealized by replacing the residual division arithmetic given by “k⁻¹ modn” by the residual multiplication arithmetic “k^(n−2) mod n”, as in thecase of the processing in the step 204. As readily appreciated, theresidual multiplication arithmetic “k^(n−2) mod n” can be realized withthe residual multiplier 107. The result of this arithmetic operationrepresents a signature (r, s) which is outputted as the digitalsignature for the message M by way of the I/O port 105 from the I/Oterminal (I/O) 114.

[0081] Step 206: The processing comes to an end.

[0082] Next, description will be turned to a processing procedure forgeneration of the digital signature according to the instant embodimentof the invention by reference to FIG. 3 to FIG. 7.

[0083]FIG. 3 is a flow chart for illustrating in detail the processingin the step 203 shown in FIG. 2. In the following, contents of theprocessings in the individual steps shown in FIG. 3 will be described.

[0084] Step 301: Processing procedure is started.

[0085] Step 302: A bit string k=(k_(i), k_(i−1) . . . , k₁, k₀)₂ of therandom number k generated in the step 202 is determined by combiningbits of binary notation on a two-by-two bit basis and the bit string isscanned, starting from the least significant bit side. When k_(i)=“11”,the more significant bit string k_(i+1) than k_(i) is added with “01”.In this manner, the bit string is rewritten up to the most significantbit. Thus, when the original bit string is represented, for example, by“10”, “11”, “10”, “11”, then the bit string after the transformationwill be “01”, “11”, “00”, “11”, “11”. This transformation is performedup to the most significant bit. The resultant bit string is representedby

[0086] k=(k_(l), k_(l−1), . . . , k₁, k₀)₂, where k_(l)≠(00).

[0087] The value of l as obtained is set to the variable i (hereinafterreferred to as the loop counter) as the number of times (l+1) theresidual multiplication arithmetic is to be repeated.

[0088] Step 303: On the basis of a point P_(i)(X_(i), Y_(i), Z_(i))transformed for the residual multiplication arithmetic after thethree-dimensional coordinate transformation of the base point, i.e., atable value, on the elliptic curve which had been stored in the EEPROM104, as described previously, initial value is stored in the RAM 106 torewrite the random number k_(i) for the point P_(i).

[0089] Step 304: The loop counter value i is decremented by one.

[0090] Step 305: Decision is made as to the loop counter value i. If theloop counter value i is smaller than 0 (zero), then the processingproceeds to a step 309 and, if otherwise, to a step 306.

[0091] Step 306: If the value of the random number k_(i) is “00”, thestep 304 is resumed. If the value of the random number k_(i) is “01”,then the elliptic addition arithmetic for adding the table value P_(i)is performed, whereupon the step 304 is resumed. When the value of therandom number k_(i) is “10”, then the elliptic by-two-multiplicationarithmetic is performed by multiplying the table value P_(i) by two andsubsequently the elliptic addition arithmetic is performed for addingthe result of the elliptic by-two-multiplication arithmetic, whereon thestep 304 is resumed. On the other hand, when the value of the randomnumber k_(i) is “11”, the additive inverse for the arithmetic operationto modulus p is determined for the Y-coordinate value of the table valueP_(i) to be placed renewally as the Y-coordinate of the table valueP_(i), and the elliptic addition arithmetic is performed for adding therelevant point, whereupon the step 304 is resumed.

[0092] Step 307: The processing comes to an end.

[0093]FIG. 4 is a flow chart for illustrating in detail the ellipticaddition arithmetic in the processing procedure described hereinbeforeby reference to FIG. 3. In the following, processing contents in theindividual steps shown in FIG. 4 will be described.

[0094] Step 401: Processing procedure is started. In this conjunction,it should be mentioned that since p is stored in the register CDN of theresidual multiplier 107 in the step 303, residual multiplicationarithmetic is performed to modulus p (i.e., modulo p).

[0095] Step 402: The residual arithmetic 2 defined hereinbefore isexecuted by using the residual multiplier 107.

[0096] Step 403: The residual arithmetic 1 defined hereinbefore isexecuted by using the residual multiplier 107.

[0097] Step 404: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0098] Step 405: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0099] Step 406: The CPU 102 performs the residual subtractionarithmetic (i.e., modular subtraction on the set of integers) to therebyderive an interim value W.

[0100] Step 407: The CPU 102 performs the residual addition arithmeticto thereby derive an interim value T.

[0101] Step 408: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0102] Step 409: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0103] Step 410: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0104] Step 411: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0105] Step 412: The CPU 102 performs the residual subtractionarithmetic (i.e., modular subtraction on the set of integers) to therebyderive an interim value R.

[0106] Step 413: The CPU 102 performs the residual addition arithmetic(i.e., modular addition on the set of integers) to thereby derive aninterim value M.

[0107] Step 414: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0108] Step 415: The residual arithmetic 1 is executed by using theresidual multiplier 107, whereby the Z-coordinate of a point determinedafter the elliptic addition arithmetic can be obtained.

[0109] Step 416: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0110] Step 417: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0111] Step 418: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0112] Step 419: The CPU 102 performs the residual subtractionarithmetic, whereby the X-coordinate of a point determined after theelliptic addition arithmetic can be obtained.

[0113] Step 420: The CPU 102 performs the residual subtractionarithmetic to derive an interim value V.

[0114] Step 421: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0115] Step 422: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0116] Step 423: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0117] Step 424: The CPU 102 performs the residual subtractionarithmetic to thereby derive an interim value Y.

[0118] Step 425: The interim value Y and value “2⁻¹R mod p” stored inthe EEPROM 104 are inputted to the residual multiplier 107 to realizethe residual arithmetic 1, whereby the Y-coordinate of the pointdetermined after the elliptic addition arithmetic can be obtained.

[0119] Step 426: The processing comes to an end.

[0120]FIG. 5 illustrates in detail in a flow chart the ellipticby-two-multiplication arithmetic in the processing procedure describedpreviously by reference to FIG. 3. In the following, contents of theprocessings in the individual steps shown in FIG. 5 will be described.

[0121] Step 501: The processing procedure is started. In thisconjunction, it should be mentioned that because p is placed in theregister CDN of the residual multiplier 107 in the step 303, residualmultiplication arithmetic to modulus p (or modulo p) is performed.

[0122] Step 502: The residual arithmetic 2 defined hereinbefore isexecuted by using the residual multiplier 107.

[0123] Step 503: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0124] Step 504: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0125] Step 505: The residual arithmetic 1 also defined hereinbefore isexecuted by using the residual multiplier 107.

[0126] Step 506: Value “3R mod p” stored in the EEPROM 104 and value “X₁²R mod p” determined in the step 502 are inputted to the residualmultiplier 107 for thereby executing the residual arithmetic 1.

[0127] Step 507: The CPU 102 performs the residual addition arithmeticto thereby derive the interim value M.

[0128] Step 508: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0129] Step 509: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0130] Step 510: Value “4R mod p” stored in the EEPROM 104 and value“X₁Y₁ ²R mod p” determined in the step 509 are inputted to the residualmultiplier 107 for thereby executing the residual arithmetic 1, wherebyan interim value S is determined.

[0131] Step 511: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0132] Step 512: Value “8R mod p” stored in the EEPROM 104 and value “Y₁⁴R mod p” determined in the step 511 are inputted to the residualmultiplier 107 to thereby perform the residual arithmetic 1, whereby theinterim value T can be obtained.

[0133] Step 513: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0134] Step 514: Value “2R mod p” stored in the EEPROM 104 and value“Y₁Z₁R mod p” determined in the step 513 are inputted to the residualmultiplier 107 to thereby execute the residual arithmetic 1, whereby theZ-coordinate of the point determined after the ellipticby-two-multiplication arithmetic can be obtained.

[0135] Step 515: The residual arithmetic 2 is executed by using theresidual multiplier 107.

[0136] Step 516: Value “2R mod p” stored in the EEPROM 104 and theinterim value S are inputted to the residual multiplier 107 to therebyexecute the residual arithmetic 1.

[0137] Step 517: The CPU 102 performs the residual subtractionarithmetic to thereby derive the X-coordinate of the point determinedafter the elliptic by-two-multiplication arithmetic.

[0138] Step 518: The residual arithmetic 1 is executed by using theresidual multiplier 107.

[0139] Step 519: The CPU 102 performs the residual subtractionarithmetic to thereby derive the Y-coordinate of the point determinedafter the elliptic by-two-multiplication arithmetic.

[0140] Step 520: The processing comes to an end.

[0141]FIG. 6 is a flow chart for illustrating in detail the processingin the step 204 shown in FIG. 2. In the following, contents of theprocessings in the individual steps shown in FIG. 6 will be described byfollowing the sequence.

[0142] Step 601: The processing procedure is started.

[0143] Step 602: On the basis of the finite field order p stored in theEEPROM 104, computation for determining (p−3) is performed. In thatcase, in the binary notation of (p−3) given by

[0144] (p−3)=(j_(l), j_(l−1), . . . , j₁, j₀)2, where j_(l)=1, the valueof l is stored in the loop counter i as the information indicating thenumber of times the residual multiplication arithmetic is to berepeated.

[0145] Step 603: The Z-coordinate of the point determined by thearithmetic operation in the step 203 is stored in the data registers CDAand CDB incorporated in the residual multiplier 107. On the other hand,the value of p is stored continuously in this data register CDN of theresidual multiplier 107, because the value of p stored in the dataregister CDN in the step 303 is held unchanged.

[0146] Step 604: The loop counter value i is decremented by one.

[0147] Step 605: Decision is made as to the loop counter value i. If theloop counter value i is smaller than 0 (zero), then the processingproceeds to a step 609 and, if otherwise, to a step 606.

[0148] Step 606: The residual arithmetic 2 defined hereinbefore isexecuted by using the residual multiplier 107.

[0149] Step 607: Decision is made as to the value j_(i) for the loopcounter value i of (p−3). Unless the value j_(i) is equal to 1 (one),the step 604 is resumed. If otherwise, the processing proceeds to a step608.

[0150] Step 608: The residual arithmetic 1 is executed by using theresidual multiplier 107, whereon the step 604 is resumed.

[0151] Step 609: The X-coordinate of the point determined by thearithmetic operation in the step 203 is stored in the data register CDBincorporated in the residual multiplier 107. At this time point, thevalue “Z^(p−3)R mod p” is stored in the data register CDA.

[0152] Step 610: The residual arithmetic 1 is executed by means of theresidual multiplier 107. As a result of this, there is stored in thedata register CDA the value “XZ^(p−3)R mod p”, i.e., the value given by“xR≡XZ⁻²R (mod p)” resulting from transformation of the X-coordinate ofthe two-dimensional affine coordinate system obtained after theexecution of the step 203 into an operation range of the residualmultiplier.

[0153] Step 611: The residual arithmetic 3 is executed by using theresidual multiplier 107. As a result of this, there is stored in thedata register CDA the value “XZ⁻² mod p”, i.e., the value of theX-coordinate given by “x≡XZ⁻² (mod p)” of the two-dimensional affinecoordinate system obtained after execution of the step 203. In the steps604 to 608 described above, 1/Z² is transformed into the multiplicativeinverse Z⁻² for determining 1/Z² in the operation for determining X/Z²,whereupon the value of X/Z² is determined by the residual multiplier107.

[0154] Step 612: The processing now comes to an end.

[0155] As is apparent from the foregoing, in the scheme or system taughtby the present invention, the multiple length residual multiplicationarithmetic function of the residual multiplier 107 is made use of. Thus,there arises no necessity of performing the multiple length residualmultiplication arithmetic by using the CPU 102. Consequently, the numberof the arithmetic processing steps can be decreased, which in turn meansthat the processing speed can be increased.

[0156]FIG. 7 is a flow chart for illustrating in detail the processingin the step 205 shown in FIG. 2. In the following, contents of theprocessings in the individual steps shown in FIG. 7 will be described.

[0157] Step 701: The processing procedure is started.

[0158] Step 702: The value “x mod p” of the X-coordinate of k·Pcalculated in the step 204 is stored in the data register CDA of theresidual multiplier 107.

[0159] Step 703: The value “R mod n” stored in the EEPROM 104 is placedin the data register CDB of the residual multiplier 107.Parenthetically, R represents a value inherent to the co-processor and nrepresents order of the base point P on the elliptic curve.

[0160] Step 704: The order n of the base point stored in the EEPROM 104is placed in the data register CDN of the residual multiplier 107.

[0161] Step 705: The residual arithmetic 1 defined hereinbefore isexecuted by means of the residual multiplier (co-processor) 107. Thisresult is held in the data register CDA where the value “x mod n” isstored which represents the signature given by “r≡x (mod n)”. Insuccession, the processing proceeds to steps 706 to 713 for determiningthe signature s.

[0162] Step 706: The value “R² mod n” stored in the EEPROM 104 is placedin the data register CDB of the residual multiplier 107.

[0163] Step 707: The residual arithmetic 1 defined hereinbefore isexecuted by means of the residual multiplier 107. As a result of this,the value “rR mod n” is determined to be stored in the data registerCDA.

[0164] Step 708: The secret key d stored in the EEPROM 104 is placed inthe data register CDB of the residual multiplier 107 in response toactivation of the IC card by a signer.

[0165] Step 709: The residual arithmetic 1 is executed by means of theresidual multiplier 107 in response to the activation of the IC card bythe signer. As a result of this, the value “dr mod n” is determined tobe stored in the data register CDA.

[0166] Step 710: A sum of the hash value H(M) for the message M and thevalue “d·r mod n” determined in the aforementioned step 709 isdetermined, whereon the value “(H(M)+d·r) mod n” is stored in the RAM106.

[0167] Step 711: The multiplicative inverse “k⁻¹R mod n” is calculatedthrough the residual multiplication arithmetic given by “k^(n−2)R mod n”with the residual multiplier 107. Concerning the calculation method tothis end, reference should be made to the processing routine extendingfrom the steps 601 to 609 inclusive. The above calculation will resultin a value “k⁻¹R mod n” which is stored in the data register CDAincorporated in the residual multiplier 107.

[0168] Step 712: The value “(H(M)+d·r) mod n” stored in the RAM 106 inthe step 710 is placed in the data register CDB of the residualmultiplier 107.

[0169] Step 713: The residual arithmetic 1 defined hereinbefore isexecuted by means of the residual multiplier 107. As a result of this,the value “k⁻¹·(H(M)+d·r) mod n” can be determined to be stored in thedata register CDA, whereon this value is outputted as the signatures≡k⁻¹·(H(M)+d·r) (mod n).

[0170] Step 714: The processing comes to an end.

[0171] With a view to confirming the effects which can be achieved withthe present invention, a program conforming to the processing proceduredescribed above in conjunction with the illustrative embodiment of theinvention was prepared and the execution time was measured with theoperation clock of the CPU being set to 5 MHz.

[0172] More specifically, k·P operation on the elliptic curve of 160-bitkey length was performed in the three-dimensional projective coordinatesystem by using 80 reference tables each indicating a value of a pointcorresponding to by-4-exponentiation of a base point. Furthermore, themultiplicative inverse was realized on the basis of combination of theFermat's theorem and the binary operation method. For execution, Hitachimicrocomputer model No. H8/3111 emulator for an IC card incorporating amultiple length remainder multiplication arithmetic co-processor wasemployed with assembler being used as the program language. The resultof experiment shows that the signature generating time (i.e., time takenfor execution of the steps 201 to 206 inclusive) through the 160-bit keylength elliptic curve encryption method is 0.308 sec/signature.

[0173] As is apparent from the foregoing description, the residualmultiplication arithmetic and the residual division arithmetic areperformed by using the residual multiplier with the residual additionarithmetic and the residual subtraction arithmetic being executed by theCPU while referencing the values determined previously and stored in amemory. Thus, according to the present invention, the elliptic curveencryption processing can be executed at a very high speed.

[0174] Although the foregoing description has been made with emphasisbeing put on the digital signature generating processing, the presentinvention is never restricted to the digital signature generatingprocessing. It goes without saying that the teachings of the presentinvention can equally find application to signature verifying processingand cipher generating processing with enhanced processing speed.

[0175] Furthermore, the present invention is never restricted to the ICcard. The teachings of the present invention can equally be applied to adevice incorporating the CPU of a limited processing capability and amultiplier. Accordingly, the phrase “IC card” used herein should be sointerpreted as to cover such device as mentioned just above. By way ofexample, the teachings of the present invention can be applied to amicrocontroller designed for carrying out authentication processing,IEEE 1394 LSI for encryption processing. Such applications are mentionedin NIKKEI ELECTRONICS, No. 732, Dec. 14, 1998, pp. 27 to 28.

[0176] Although it has been described that the EEPROM is employed as therewritable nonvolatile memory 104, the present invention is neverrestricted thereto. The flash memory known in the art can equallyemployed as the rewritable nonvolatile memory. Besides, the ROM 103 maybe implemented by using a flash memory. Additionally, the multiplicativeinverse arithmetic module in which the residual multiplier 107 shown inFIG. 1 is employed may be implemented as a single integrated unit or acombination of components in the form of software such as medium adaptedto be read by the processor or in the form of hardware. Themultiplicative inverse arithmetic module can ensure wide variety ofapplications regardless of general-purpose application or destinedpurpose application.

[0177] As will now be appreciated from the foregoing description,according to the present invention, the digital signature generatingprocessing based on the elliptic curve can be realized efficiently bymaking use of the residual multiplication arithmetic effectively. Thusthe present invention has provided a method and device which allows thedigital signature generating processing to be executed at a high speedin a device equipped with a residual multiplier.

[0178] Many modifications and variations of the present invention arepossible in the light of the above techniques. It is therefore to beunderstood that within the scope of the appended claims, the inventionmay be practiced otherwise than as specifically described.

What is claimed is:
 1. An IC card, comprising: message receiving meansfor receiving a message (M) from an input/output terminal by way of aninput/output port; public key encryption processing means for performingelliptic curve encryption processing on said message (M); and outputmeans for outputting result of the processing executed by said publickey encryption processing means from the input/output terminal via theinput/output port, wherein said public key encryption processing meanscomprises: multiple length arithmetic means for calculating throughmultiple length residual multiplication arithmetic values “ABR⁻¹ mod N”,“A²R⁻¹ mod N”, and “AR⁻¹ mod N” representing, respectively, numericalvalues to undergo computation which make appearance in intermediatearithmetic processing for positive integers A, B, N and R, wherein A andB represent, respectively, variables which are given by input variablesand/or interim variables, N represents a variable given as an inputvariable, and R represents a numerical value given as a constant; andcomputation means for performing multiplication and multiplicativeinverse arithmetic on a finite group by using said multiple lengtharithmetic means.
 2. An IC card according to claim 1, wherein saidmultiple length arithmetic means is constituted by a co-processor, andwherein said variable R represents a constant determined in dependenceon performance of said co-processor.
 3. An IC card according to claim 1,wherein said computation means includes multiplicative inversearithmetic means for performing arithmetic operation represented by “k⁻¹mod n” for a positive integer k which is relatively prime n by resortingto residual multiplication arithmetic represented by “k^((n-2)) mod n”with the aid of said multiple length arithmetic means.
 4. An IC cardaccording to claim 1, wherein said public key encryption processing isan elliptic curve encryption processing, further comprising: arewritable nonvolatile memory for storing previously at least one ofnumerical values given by “2R mod p”, “3R mod p”, “4R mod p”, “8R modp”, “2⁻¹R mod p”, “aR mod p”, “R mod p”, “R² mod p”, “R mod n”, and “R²mod n”, respectively, where R represents a positive integer whichsatisfies a condition that R>p, R>n for order (p) of a finite field whenan elliptic curve (Ep) on the finite field is given by “y²≡x³+ax+b (modp)”, wherein said rewritable nonvolatile memory can be referenced bysaid multiple length arithmetic means.
 5. An IC card according to claim1, further comprising: a rewritable nonvolatile memory for storingpreviously values of points corresponding to positive integer multipliesof a base point (P) on said elliptic curve, wherein said values of thepoints corresponding to the positive integer multiplies of the basepoint (P) can be referenced by said multiple length arithmetic means. 6.An encryption processing method for an IC card having a co-processor,comprising the steps of: receiving a message (M) from an input/outputterminal by way of an input/output port; performing elliptic curveencryption processing on said message (M); and outputting result of theprocessing executed in said elliptic curve encryption processing stepfrom the input/output terminal via the input/output port, wherein saidelliptic curve encryption processing step comprises the steps of:calculating through multiple length residual multiplication arithmeticby using said co-processor values “ABR⁻¹ mod N”, “A²R⁻¹ mod N”, and“AR⁻¹ mod N” representing, respectively, numerical values to undergocomputation which make appearance in intermediate arithmetic processingfor positive integers A, B, N and R, wherein A and B represent,respectively, variables which are given as input variables and/orinterim variables, N represents a variable given as an input variable,and R represents a numerical value given as a constant; and executingmultiplication and multiplicative inverse arithmetic on a finite groupby using said co-processor.
 7. An encryption processing method accordingto claim 6, wherein said computation step includes a substep ofexecuting a multiplicative inverse arithmetic for performing arithmeticoperation represented by “k⁻¹ mod n” for a positive integer k which isrelatively prime to a prime number n by resorting to residualmultiplication arithmetic represented by “k^((n−2)) mod n” with the aidof said co-processor.
 8. A program stored in a recording medium forperforming encryption processing for an IC card having a co-processor,comprising the instruction steps of: receiving a message (M) from aninput/output terminal by way of an input/output port; performingelliptic curve encryption processing on said message (M); and outputtingresult of the processing executed in said elliptic curve encryptionprocessing step from the input/output terminal via the input/outputport, wherein said elliptic curve encryption processing step comprisesthe substeps of: calculating through multiple length residualmultiplication arithmetic by using said co-processor values “ABR⁻¹ modN”, “A²R⁻¹ mod N”, and “AR−¹ mod N” representing, respectively,numerical values to undergo computation which make appearance inintermediate arithmetic processing for positive integers A, B, N and R,wherein A and B represent, respectively, variables which are given asinput variables and/or interim variables, N represents a variable givenas an input variable, and R represents a numerical value given as aconstant; and executing multiplication and multiplicative inversearithmetic on a finite group by using said co-processor.
 9. Amultiplicative inverse arithmetic module destined for use in anelectronic device incorporating an encryption processing unit includinga residual multiplier, for performing at high-speed arithmetic operationgiven by “k⁻¹ mod n” on a positive integer k which is to be generatedand which is relatively prime to a prime number n in an encryptionprocessing by using said residual multiplier having performance by whicha constant (R) is determined, comprising: first means for calculating“kR mod n” with said residual multiplier, result of said calculationbeing set equally in a first register (CDA) and a second register (CDB),second means for squaring and multiplying by R⁻¹ the value of said firstregister, result of which is stored in said first register to modulus n;third means for multiplying the values of said first register and saidsecond register and then multiplying the multiplied value by R⁻¹, resultof which is stored in said first register to modulus n; and fourth meansfor determining “k^((n−2)) mod n” by repeating processings executed bysaid first means and said second means.
 10. A multiplicative inversearithmetic module according to claim 9, wherein said residual multiplieris constituted by a co-processor.
 11. A semiconductor chip according toclaim 10, comprising: a multiplicative inverse arithmetic module.
 12. AnIC card including an encryption processing unit according to claim 11,wherein said IC card includes a semiconductor chip packaging amultiplicative inverse arithmetic module.
 13. An IC device forgenerating digital signature by resorting to an elliptic curveencryption, comprising: first means for generating a random number tomodulus n, where n represents order, second means for scalarmultiplication or addition arithmetic for calculating a pointcorresponding to a known point on an elliptic curve multiplied with k bymeans of a residual multiplier; and third means for determining a value“r=x mod n” with point k·P on the elliptic curve being inputted and thendetermining a value s by using the determined value r with the aid ofsaid residual multiplier, said values r and s constituting parts of adigital signature, to thereby generate a digital signature.
 14. An ICdevice according to claim 13, wherein said residual multiplier isconstituted by a co-processor.